package com.nCoV.EpidemicSurveillance.config;



import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;



/** 
* @author 作者 罗穆健: 
* @version 创建时间：2020年1月4日 下午9:27:39 
* 类说明 
*/
@Configuration
//@EnableConfigurationProperties(SecurityProperties.class)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Autowired
    private MyFilterSecurityInterceptor myFilterSecurityInterceptor;
	

    @Autowired
    private MyAuthenticationProvider myAuthenticationProvider;
    
    @Autowired
    private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
    @Autowired
    private MyAuthenticationFailHander myAuthenticationFailHander;
    @Autowired
    private UrlAccessDeniedHandler accessDeniedHandler;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    	auth.authenticationProvider(myAuthenticationProvider);
    }
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.addFilterAt(customAuthenticationFilter(),
			    UsernamePasswordAuthenticationFilter.class);
		http
			.authorizeRequests()
			.antMatchers("/js/**", "/css/**", "/images/**", "/common/**", "/public/**", "/favicon.ico", "/webjars/**", "/Login",
					"/noLoginRequired/**","/plugins/**","/index","/userMsg","/userArea")
			.permitAll() // 匿名可以访问	
			.anyRequest()
			.authenticated()
//			.and()
//			.headers().frameOptions().disable()// 不拦截iframe
			.and()
			.formLogin()
			.loginPage("/Login")
			.successHandler(myAuthenticationSuccessHandler)
            .failureHandler(myAuthenticationFailHander)
            .and().logout().logoutUrl("/logout").logoutSuccessUrl("/Login")
			.and()
			.csrf()
			.disable()
//			.and()
//            .headers()
//            .frameOptions().sameOrigin(); ; //注销行为任意访问
		;
		http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class);
	
		http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
		http.sessionManagement().maximumSessions(1).expiredUrl("/Login");
	}

	
	@Bean
	CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
	    CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
	    filter.setAuthenticationManager(super.authenticationManagerBean());
	    filter.setFilterProcessesUrl("/Jsonlogin");//不知道有啥用，乱写的url，但是少了不行
	    filter.setAuthenticationSuccessHandler(myAuthenticationSuccessHandler);
	    filter.setAuthenticationFailureHandler(myAuthenticationFailHander);
	    return filter;
	}
	
}
 